Mercurial > prosody-modules
comparison mod_rest/mod_rest.lua @ 5678:0cffeff2cd1d
mod_rest: Limit payload size (cf stanza size limits)
Otherwise the limit would be defined by the HTTP stack.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 25 Oct 2023 15:36:20 +0200 |
| parents | 5b316088bef5 |
| children |
comparison
equal
deleted
inserted
replaced
| 5677:a5089978928a | 5678:0cffeff2cd1d |
|---|---|
| 17 local have_cbor, cbor = pcall(require, "cbor"); | 17 local have_cbor, cbor = pcall(require, "cbor"); |
| 18 | 18 |
| 19 local jsonmap = module:require"jsonmap"; | 19 local jsonmap = module:require"jsonmap"; |
| 20 | 20 |
| 21 local tokens = module:depends("tokenauth"); | 21 local tokens = module:depends("tokenauth"); |
| 22 | |
| 23 -- Lower than the default c2s size limit to account for possible JSON->XML size increase | |
| 24 local stanza_size_limit = module:get_option_number("rest_stanza_size_limit", 1024 * 192); | |
| 22 | 25 |
| 23 local auth_mechanisms = module:get_option_set("rest_auth_mechanisms", { "Basic", "Bearer" }); | 26 local auth_mechanisms = module:get_option_set("rest_auth_mechanisms", { "Basic", "Bearer" }); |
| 24 | 27 |
| 25 local www_authenticate_header; | 28 local www_authenticate_header; |
| 26 do | 29 do |
| 275 from = { code = 422; type = "modify"; condition = "invalid-from"; text = "Invalid source JID" }; | 278 from = { code = 422; type = "modify"; condition = "invalid-from"; text = "Invalid source JID" }; |
| 276 from_auth = { code = 403; type = "auth"; condition = "not-authorized"; text = "Not authorized to send stanza with requested 'from'" }; | 279 from_auth = { code = 403; type = "auth"; condition = "not-authorized"; text = "Not authorized to send stanza with requested 'from'" }; |
| 277 iq_type = { code = 422; type = "modify"; condition = "invalid-xml"; text = "'iq' stanza must be of type 'get' or 'set'" }; | 280 iq_type = { code = 422; type = "modify"; condition = "invalid-xml"; text = "'iq' stanza must be of type 'get' or 'set'" }; |
| 278 iq_tags = { code = 422; type = "modify"; condition = "bad-format"; text = "'iq' stanza must have exactly one child tag" }; | 281 iq_tags = { code = 422; type = "modify"; condition = "bad-format"; text = "'iq' stanza must have exactly one child tag" }; |
| 279 mediatype = { code = 415; type = "cancel"; condition = "bad-format"; text = "Unsupported media type" }; | 282 mediatype = { code = 415; type = "cancel"; condition = "bad-format"; text = "Unsupported media type" }; |
| 283 size = { code = 413; type = "modify"; condition = "resource-constraint", text = "Payload too large" }; | |
| 280 }); | 284 }); |
| 281 | 285 |
| 282 -- GET → iq-get | 286 -- GET → iq-get |
| 283 local function parse_request(request, path) | 287 local function parse_request(request, path) |
| 284 if path and request.method == "GET" then | 288 if path and request.method == "GET" then |
| 310 end | 314 end |
| 311 from = jid.join(origin.username, origin.host, origin.resource); | 315 from = jid.join(origin.username, origin.host, origin.resource); |
| 312 origin.full_jid = from; | 316 origin.full_jid = from; |
| 313 origin.type = "c2s"; | 317 origin.type = "c2s"; |
| 314 origin.log = log; | 318 origin.log = log; |
| 319 end | |
| 320 if type(request.body) == "string" and #request.body > stanza_size_limit then | |
| 321 return post_errors.new("size", { size = #request.body; limit = stanza_size_limit }); | |
| 315 end | 322 end |
| 316 local payload, err = parse_request(request, path); | 323 local payload, err = parse_request(request, path); |
| 317 if not payload then | 324 if not payload then |
| 318 -- parse fail | 325 -- parse fail |
| 319 local ctx = { error = err, type = request.headers.content_type, data = request.body, }; | 326 local ctx = { error = err, type = request.headers.content_type, data = request.body, }; |